commit 93b188a95f1da119769a1165086b7d2912603470
Author: Greg Kroah-Hartman <gregkh@suse.de>
Date: Tue Nov 8 11:22:55 2005 -0800
Linux 2.6.14.1
commit e4e0411221c7d4f2bd82fa5e21745f927a1bff28
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Tue Nov 8 15:03:46 2005 +0000
[PATCH] CVE-2005-2709 sysctl unregistration oops
You could open the /proc/sys/net/ipv4/conf/<if>/<whatever> file, then
wait for interface to go away, try to grab as much memory as possible in
hope to hit the (kfreed) ctl_table. Then fill it with pointers to your
function. Then do read from file you've opened and if you are lucky,
you'll get it called as ->proc_handler() in kernel mode.
So this is at least an Oops and possibly more. It does depend on an
interface going away though, so less of a security risk than it would
otherwise be.
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
www.fiveanddime.net
